Key

This line was added.

This line was removed.

Formatting was changed.

Comment:
Corrected links that should have been relative instead of absolute.

JBoss Security Update for Bedework 3.7

As you may be already aware from messages on the Bedwork lists and/or the JBoss list, a vulnerability has been identified with respect to the JBoss JMX console. Although this vulnerability is in JBoss, not Bedework itself, Bedework installations may be affected.

The Bedework 3.7 quickstart has been modified to make the JMX console more secure. All future Bedework releases will inherit these changes.

Simply performing a subversion update to your existing installation will not address the vulnerability. To secure your JBoss installation, you need to to "manually" follow the procedure described below:

1. Locate the <security-constraint> element (around line 101) in the filejboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF/web.xml

2. Red Hat has become aware of a worm currently affecting unpatched or unsecured servers running JBoss Application Server and products based on it. This worm propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user.

To determine if your JBoss instance has been compromised, look in directoryjboss-5.1.0.GA/server/default/deploy/management/

If you see the directoryiesvc.warthen your instance has been infected.